CVE-2024-39877

Apache Airflow 2.4.0, and versions before 2.9.3, has a vulnerability that allows authenticated DAG authors to craft a doc_md parameter in a way that could execute arbitrary code in the scheduler context, which should be forbidden according to the Airflow Security model. Users should upgrade to version 2.9.3 or later which has removed the vulnerability.
Configurations

Configuration 1 (hide)

cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*

History

01 Aug 2024, 13:56

Type Values Removed Values Added
CWE CWE-277

19 Jul 2024, 16:04

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 8.8
CPE cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*
First Time Apache airflow
Apache
Summary
  • (es) Apache Airflow 2.4.0 y versiones anteriores a 2.9.3 tienen una vulnerabilidad que permite a los autores de DAG autenticados crear un parámetro doc_md de manera que pueda ejecutar código arbitrario en el contexto del programador, lo que debería estar prohibido según el modelo de seguridad de Airflow. Los usuarios deben actualizar a la versión 2.9.3 o posterior, que eliminó la vulnerabilidad.
References () https://github.com/apache/airflow/pull/40522 - () https://github.com/apache/airflow/pull/40522 - Issue Tracking, Patch
References () https://lists.apache.org/thread/1xhj9dkp37d6pzn24ll2mf94wbqnb2y1 - () https://lists.apache.org/thread/1xhj9dkp37d6pzn24ll2mf94wbqnb2y1 - Mailing List

17 Jul 2024, 08:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-07-17 08:15

Updated : 2024-08-01 13:56


NVD link : CVE-2024-39877

Mitre link : CVE-2024-39877

CVE.ORG link : CVE-2024-39877


JSON object : View

Products Affected

apache

  • airflow
CWE
CWE-94

Improper Control of Generation of Code ('Code Injection')

CWE-277

Insecure Inherited Permissions